Bringing over 20 years of compliance experience in the payer and provider sides of healthcare, she gave her perspective as an HIE that recently achieved certification, as well as from the time when she was skeptical about embarking on the HITRUST journey.

The CSF provided a robust structure that addressed all areas of info security.

The framework gave them continuity and tied fragmented areas in their program together.

The rigor of the CSF allowed them to focus on translating requirements into action tailored to DHIN.

Next, BluePrint’s Vice President and CISO, Mark Ferrari, covered the top four reasons why HITRUST is specifically valuable for HIEs.

Reason #1: Access Control

As one of the deepest domains included in HITRUST CSF, access control is arguably the most important to HIEs. From our experience, it makes up about 20 percent of a HITRUST engagement for our customers and is one of two domains that have the most requirements.

To pass this domain, organizations must have well-developed and demonstrable access management processes.

HIEs not only have to demonstrate strict access control within their organization, but also must govern access among HIE users.

Reason #2: Transmission Security

HIEs are structured to send and receive important data via real-time HL7, ADT feeds, flat files or other formats. Partner organizations use that information to aggregate, analyze and build reports, among other uses.

Governance of transmission security is a separate domain with its own focus and deep specificity. This domain ensures that data is not shared by any unsecured means.

HIEs must conduct thorough due diligence when initially vetting potential data vendors and members, as well as when creating business agreements. However, many times that’s where third-party oversight ends.

Here, you want to ensure that you have policies, procedures and actions that clearly outline who has access, when they have access and to what data, as well as the steps to take if activities fall outside these parameters.

Reason #4: Building Trust among Data Contributors & Participants

The bottom line is, without the ongoing confidence of data contributors, the HIE model is unsustainable.

Demonstrating adherence to the strict HITRUST framework is a differentiator for HIEs, mainly because HITRUST is more rigorous than any single framework such as ISO, NIST or the HIPAA Security Rule alone.

The keys to your success as an HIE pursuing HITRUST certification include:

Adopting the CSF framework and demonstrating compliance. Action that is connected to solid policies and procedures is paramount.

Proving that you are in fact doing what you say you are doing. Think about evidence as you proceed through the “HITRUST journey.” What evidence do you have that shows that you act on and live out your written procedures?

Implementing a strong information security program. To certify under HITRUST, organizations must pass every domain individually. Doing this requires you to address the 19 domains of HITRUST (shown below) within your program.

Stay tuned for our next blog where we’ll share the questions raised during the HITRUST for HIE webinar and highlights from our three-phase approach to HITRUST certification.